A program that has already been unpacked.
First verification:
00404491 |. /0F84 27000000 je 004044BE ; changing this JE to jmp skips it, and 604 can be skipped the same way
00404497 |. |FFB5 E0FEFFFF push dword ptr [ebp-120] ; /hObject
0040449D |. |E8 F8AE0000 call <jmp.&kernel32.CloseHandle> ; \CloseHandle
004044A2 |. |6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004044A4 |. |68 3D304000 push 0040303D ; |提示
004044A9 |. |68 CF304000 push 004030CF ; |603验证失败或使用时间已到期,请重新购买验证码!
004044AE |. |FF35 04104000 push dword ptr [401004] ; |hOwner = NULL
004044B4 |. |E8 01B00000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004044B9 |. |E9 740C0000 jmp 00405132
004044BE |> \8B85 D7FEFFFF mov eax, dword ptr [ebp-129]
004044C4 |. 8985 6EFDFFFF mov dword ptr [ebp-292], eax
004044CA |. 8B85 DBFEFFFF mov eax, dword ptr [ebp-125]
004044D0 |. 8985 72FDFFFF mov dword ptr [ebp-28E], eax
But when it gets to error 605:
00405791 . 80BD ABFCFFFF>cmp byte ptr [ebp-355], 32
00405798 . 0F85 34000000 jnz 004057D2
0040579E . 80BD AAFCFFFF>cmp byte ptr [ebp-356], 30
004057A5 . 0F85 27000000 jnz 004057D2
004057AB . 80BD A9FCFFFF>cmp byte ptr [ebp-357], 30
004057B2 . 0F85 1A000000 jnz 004057D2
004057B8 . 80BD A8FCFFFF>cmp byte ptr [ebp-358], 37
004057BF . 0F84 69000000 je 0040582E
004057C5 . 80BD A8FCFFFF>cmp byte ptr [ebp-358], 38
004057CC . 0F84 5C000000 je 0040582E ; I changed this one too, but it still can't be skipped and it is always error 605. Why is that?
004057D2 > 6A 01 push 1 ; /Length = 1
004057D4 . 8D85 ABFCFFFF lea eax, dword ptr [ebp-355] ; |
004057DA . 50 push eax ; |Destination
004057DB . E8 1A9C0000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory
004057E0 . 6A 01 push 1 ; /Length = 1
004057E2 . 8D85 AAFCFFFF lea eax, dword ptr [ebp-356] ; |
004057E8 . 50 push eax ; |Destination
004057E9 . E8 0C9C0000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory
004057EE . 6A 01 push 1 ; /Length = 1
004057F0 . 8D85 A9FCFFFF lea eax, dword ptr [ebp-357] ; |
004057F6 . 50 push eax ; |Destination
004057F7 . E8 FE9B0000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory
004057FC . 6A 01 push 1 ; /Length = 1
004057FE . 8D85 A8FCFFFF lea eax, dword ptr [ebp-358] ; |
00405804 . 50 push eax ; |Destination
00405805 . E8 F09B0000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory
0040580A . 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0040580C . 68 3D304000 push 0040303D ; |提示
00405811 . 68 2B314000 push 0040312B ; |605验证失败或使用时间已到期,请重新购买验证码!
00405816 . FF35 04104000 push dword ptr [401004] ; |hOwner = NULL
0040581C . E8 999C0000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00405821 . FF75 EC push dword ptr [ebp-14] ; /hObject
00405824 . E8 719B0000 call <jmp.&kernel32.CloseHandle> ; \CloseHandle
00405829 . E9 C7160000 jmp 00406EF5
0040582E > 6A 09 push 9 ; /Length = 9